What is the ISO 27000 series?

Updated: November 16, 2023.

If you are working as an ISO 27001 consultant or practitioner, you are probably heavily dependent on the ISO/IEC 27000 series of standards. Since there are quite a lot of them (see the list here), it is a good idea to keep an eye on the most commonly used ones. So, let's see what ISO 27000 is and what the other standards in the ISO/IEC 27K series cover.

The most popular standards from the ISO27k series are ISO 27000, ISO 27001, ISO 27002, ISO 27004, ISO 27005, ISO 27017, ISO 27018, and ISO 27701.

ISO/IEC 27000 – This standard gives an overview of information security management, as well as the vocabulary (explanation of main terms) for information security. ISO 27000 certification is not possible.

ISO/IEC 27001 – This standard specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Because it is written as auditable requirements ("shall" statements) rather than as guidance, it is the standard in the series against which an organization can be certified.

ISO/IEC 27002 – This standard provides guidelines and recommendations for implementing the controls listed in Annex A of ISO 27001 (in the 2022 editions, Annex A is derived from the control set defined in ISO 27002). It is guidance only and is not certifiable on its own.

ISO/IEC 27004 – This standard gives guidance on monitoring, measurement, analysis, and evaluation of information security, i.e., how to measure whether the ISMS and its controls are effective.

ISO/IEC 27005 – This standard describes information security risk management.

ISO/IEC 27011 is the standard that provides guidelines for information security management in telecoms.

ISO/IEC TR 27016 is the standard that defines organizational economics for information security management.

ISO/IEC 27017 is the standard that provides the code of practice for information security controls for cloud services (both for cloud service providers and for cloud service customers), and it builds directly on ISO 27002.

ISO/IEC 27018 is the standard that provides the code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, and it also builds directly on ISO 27002.

ISO/IEC 27033-4 is the standard that speaks about network security – on how to secure communications between networks using security gateways.

ISO/IEC 27036-1 is the standard that gives an overview and explains the concepts related to information security and supplier relationships.

ISO/IEC 27036-2 is the main standard that describes the requirements related to information security for supplier relationships.

ISO/IEC 27038 is the standard that gives specifications for digital redaction – here, redaction means the process of permanently removing certain sensitive data from a document so that recipients of the redacted file cannot learn it from the original content, metadata, or remnants of that data.

ISO/IEC 27039 is the standard that describes the selection, deployment, and operation of intrusion detection and prevention systems (IDPS).

ISO/IEC 27043 is the standard that deals with incident investigation – to be more precise, with the principles and processes for investigating security incidents and handling digital evidence.

ISO/IEC 27701 is the standard that provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It is written as an extension to ISO 27001 and ISO 27002, so it assumes an existing ISMS.

If you’re in this business, you’ll have a lot to read!

To learn about the requirements of the ISO 27001 standard, check out this free white paper Clause-by-clause explanation of ISO 27001.

Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.